DevSec - build security in and dance like a pro!
“THEY” ARE AFTER YOU
WHO? WHY?
BECAUSE LULZ
BECAUSE MONEY
HOW DO “THEY” GET IN?
CYBER CRIME 2010-2020
.. FUNNY LIKE NPM INSTALL
http://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
WAT ?
CLOUD! AWESOME! AGILE!
A FIX IS IMMINENT, I PRESUME
RED TEAMING
IDS & SIEM
WAF
JUST #DEVSEC + #OPSEC = #DEVSECOPS ?
DEVSEC MATURITY – SOLITA SCALE (1-5)
LEVEL 1, INTRO 👣
› Clear responsibility for security.
› Controlled process for access.
› Define policy and process.
› Make sure people follow it.
› Motivate. Explain the reasons.
LEVEL 2, BEGINNER 👣
› Tackle OWASP Top 10.
› Perform threat analysis.
› Invest in learning and education.
› Practice.
› Involve customers.
LEVEL 3, DANCING 👣
› Audit logs.
› Process & env audit.
› Secure programming.
  • Especially system integrations.
› Define processes. Improve.
› Create templates.
› Involve customers.
PRO TIP: ATTACK YOURSELF TODAY!
LEVEL 4, TOOLS 👣 👞 👢
› Penetration testing.
› Automated vulnerability scans.
› Automated test cases for security.
› Get hackers.
› Get tools.
› Practice.
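The crossenv package on the npm slide earlier was a typosquat: a malicious package named one character away from the legitimate cross-env, picked up by anyone who mistyped `npm install`. The Level 4 bullets (automated vulnerability scans, automated security test cases) are where a team turns that lesson into a build step. The following is an added example, not code from this deck or from the docker-devsec-demo repository: an offline dependency gate in Python that parses a constructed npm-style package.json, flags dependency names within a short edit distance of a constructed team allow-list (the typosquat check), flags versions below a constructed "fixed in" table (a stand-in for a real advisory feed such as `npm audit` or OSV), and lists specs that are not exact pins. The manifest, allow-list and advisory table are all constructed for the example.

```python
"""Offline dependency gate for a build pipeline (added example, not the deck's code).
Flags typosquat candidates, versions below a fixed-in floor, and floating specs."""
import json

# Constructed sample manifest (assumption: npm package.json layout).
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "express": "4.15.2",
    "crossenv": "6.1.1",
    "lodash": "^4.17.4",
    "left-pad": "1.1.3"
  },
  "devDependencies": {
    "mocha": "3.4.2",
    "request": ">=2.0.0 <3.0.0"
  }
}"""

# Constructed allow-list: package names the team has reviewed and actually uses.
KNOWN_GOOD = {"express", "cross-env", "lodash", "left-pad", "mocha", "request"}

# Constructed advisory table: package -> first version that is NOT vulnerable.
# Real feeds give ranges; a single fixed-in floor keeps the example offline.
ADVISORIES = {"express": (4, 16, 0), "lodash": (4, 17, 5)}


def load_dependencies(manifest_text):
    """Return {name: version_spec} merged from dependencies and devDependencies."""
    manifest = json.loads(manifest_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    return deps


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1 (typosquats use all four)."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def typosquat_candidates(deps, known_good):
    """Names not on the allow-list that sit within a small edit distance of one that is.
    Short names get a tighter threshold so that e.g. 'ms' vs 'fs' is not flagged."""
    findings = []
    for name in deps:
        if name in known_good:
            continue
        limit = 1 if len(name) <= 5 else 2
        for good in sorted(known_good):
            if edit_distance(name.lower(), good.lower()) <= limit:
                findings.append((name, good))
    return sorted(findings)


def parse_version(spec):
    """(major, minor, patch) for an exact pin or the floor of a ^/~ range;
    None for anything that is not one dotted version (e.g. '>=2.0.0 <3.0.0', '*')."""
    core = spec.strip().lstrip("^~=v").split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0, 0, 0]
    return tuple(nums[:3])


def vulnerable_pins(deps, advisories):
    """Dependencies whose pinned (or range-floor) version is below the fixed-in version."""
    findings = []
    for name, fixed_in in advisories.items():
        spec = deps.get(name)
        if spec is None:
            continue
        version = parse_version(spec)
        if version is not None and version < fixed_in:
            findings.append((name, spec, ".".join(map(str, fixed_in))))
    return sorted(findings)


def floating_specs(deps):
    """Specs that are not exact pins; the lockfile decides what really installs."""
    return sorted(name for name, spec in deps.items()
                  if spec.strip()[:1] in "^~><*" or parse_version(spec) is None)


def run_check(manifest_text, known_good=KNOWN_GOOD, advisories=ADVISORIES):
    deps = load_dependencies(manifest_text)
    return {
        "typosquats": typosquat_candidates(deps, known_good),
        "vulnerable": vulnerable_pins(deps, advisories),
        "floating": floating_specs(deps),
    }


if __name__ == "__main__":
    report = run_check(SAMPLE_PACKAGE_JSON)
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
    # A pipeline gate fails the build on any typosquat or vulnerable finding.
    raise SystemExit(1 if report["typosquats"] or report["vulnerable"] else 0)
```

Run it as one step of the build, before `npm install`, so the exit code blocks the pipeline. The edit-distance threshold is a heuristic and will produce the occasional false positive; the point of the allow-list is that a human reviews each new name once and then the check stays quiet. For the version check, feed it the resolved versions from package-lock.json rather than the manifest, since a `^` spec only gives the floor of what gets installed.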
PRO TIP: GROW HACKERS!
HIRING IS DIFFICULT
LEVEL 5, LIKE A PRO 🐾
› Practice incident response.
› Hardened environments.
› Start bug bounty.
  • (if appropriate)
› Form incident response team.
› Go easy with bug bounty first.
DEVSEC – BUILD SECURITY IN!
Let's get technical!
DEVSEC IS A TEAM EFFORT
https://github.com/lokori/docker-devsec-demo
Diagram (team roles around DevSec): DevSec, Ops, Client, Manager.
› Fix your processes!
› Find developers with a hacker mind.
› Invest in people, not tools.
› Leverage DevOps & automate.
FURTHER MATERIAL
› Security Pipeline PoC: https://github.com/lokori/docker-devsec-demo
› OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
› Cyber testing reference: https://github.com/solita/kyberoppi
› Why and how web app security fails: https://www.slideshare.net/Solita_Oy/webapp-securitytut2017
› MOOC course on hacking and security: https://cybersecuritybase.github.io/
› Microsoft SDL: https://www.microsoft.com/en-us/sdl/
TOOLS AND PLATFORMS
› HackerOne (Bug Bounty platform): https://www.hackerone.com/
› BugCrowd (Bug Bounty platform): https://www.bugcrowd.com/
› OSCP (proof of skills): https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
› Kali Linux: https://www.kali.org/
› ZAP Proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
› Burp Proxy: https://portswigger.net/burp
› Metasploit: https://www.metasploit.com/